Privacy tiers
Every request executes under one of three tiers. The default comes from the
API key; you can override per-call with the sable_privacy_tier body field.
| Tier | Routing | Use case |
| --- | --- | --- |
| standard | Encrypted in transit, software isolation. The model host sees the prompt. | Throughput-bound workloads, public data. |
| confidential | Runs inside an attested Intel TDX enclave — the host can't see the prompt. Live for sable-confidential-24b. | Agent memory, business data. |
| sovereign | Confidential + jurisdiction-pinned routing. | Regulated data, sovereign deployments. |
# Pin a request to a specific privacy tier.
resp = client.chat.completions.create(
model="sable-deepseek-v3",
messages=[{"role":"user","content":"Summarize this filing"}],
extra_body={"sable_privacy_tier": "sovereign"},
)The honest version, tier by tier
standard is encrypt-in-transit. The request is decrypted at one
auditable egress frame and sent to a model host that runs it
and sees the prompt. You still get: no prompt or completion stored anywhere,
logs that hold only metadata, a signed receipt, and
region pinning that's actually enforced. The host seeing the
prompt is the limit of what software isolation can promise — which is why
confidential exists.
confidential is live for sable-confidential-24b. That model runs inside
an attested Intel TDX enclave (with NVIDIA H100 confidential computing) on an
attested backend. Before routing, the gateway cryptographically verifies the
enclave's TDX quote against a pinned measurement; after the response, it
verifies a per-response signature from the key bound into that quote. Both
results are stamped into your signed receipt as an
attestation block (verification: "tee-attested", response_bound: true) — so
you can confirm, yourself, that your request ran in a real enclave the host
could not see into. A confidential request for a model we can't attest is
refused, never silently downgraded to a plaintext host.
One operational consequence of that fail-closed rule, stated plainly: when the
enclave workload is redeployed upstream, its attested measurement changes, and
the gateway refuses confidential requests (HTTP 502,
attestation_failed) until we verify the new build and re-pin. During such a
window standard traffic is unaffected; the confidential tier's live posture is
always visible on /status and GET /v1/attestation. Build agents
that use this tier to handle a 502 by retrying later — not by falling back to
standard silently (that decision should be yours, not ours).
What's still ahead: more confidential models, and moving the enclave from an
attested third-party backend to hardware Sable measures itself (so the trust
root is our binary, not the backend's attestation). sovereign adds
jurisdiction pinning on top — the region-pinning half is already
enforced and recorded in the receipt today.
Closed, vendor-hosted models are a harder limit. Anything with
open_weight: false in /v1/models, like OpenAI's
gpt-4o-mini, is standard tier only: it runs on the vendor's own servers, so
encrypt-in-transit is as far as its privacy can ever go.